Secret tampering detection system, secret tampering detection apparatus, secret tampering detection method, and program

ABSTRACT

To detect tampering in secure computation while maintaining confidentiality with little communication traffic. A random number generation part (11) generates [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)]. A random number multiplication part (12) computes [{right arrow over ( )}t_(i)]:=[{right arrow over ( )}r_(i){right arrow over ( )}s_(i)]. A secret multiplication part (13) computes [{right arrow over ( )}z]:=[{right arrow over ( )}x{right arrow over ( )}y]. A random number verification part (14) discloses a p_(i,j)-th element of each of [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] and confirms whether the element has integrity as multiplication. A random number substitution part (15) randomly substitutes elements in each of [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] except for the p_(i,j)-th element to generate [{right arrow over ( )}r′_(i)], [{right arrow over ( )}s′_(i)], [{right arrow over ( )}t′_(i)]. A subtraction value disclosure part (16) computes [{right arrow over ( )}x−{right arrow over ( )}r′_(i)], [{right arrow over ( )}y−{right arrow over ( )}s′_(i)]. A verification value computing part (17) computes [{right arrow over ( )}c_(i)]:=[{right arrow over ( )}z]−({right arrow over ( )}x−{right arrow over ( )}r′_(i))[{right arrow over ( )}y]−({right arrow over ( )}y−{right arrow over ( )}s′_(i))[{right arrow over ( )}r′_(i)]−[{right arrow over ( )}t′_(i)]. A verification value confirmation part (18) confirms that verification values c_(i) are all zero.

TECHNICAL FIELD

The present invention relates to a secure computation technique and particularly relates to a technique for detecting tampering in secure computation while maintaining confidentiality.

BACKGROUND ART

As a technique for detecting tampering while maintaining confidentiality in secure computation, there is a technique described in Non-patent literature 1 for example. The prior art described in Non-patent literature 1 is a technique in which pre-data called a multiplication triple is generated and tampering in secure computation is detected using the multiplication triple.

PRIOR ART LITERATURE

Non-Patent Literature

-   Non-patent literature 1: J. Furukawa, Y. Lindell, A. Nof, and O. Weinstein, “High-throughput secure three-party computation for malicious adversaries and an honest majority”, IACR Cryptology ePrint Archive, 2016:944, 2016

SUMMARY OF THE INVENTION

Problems to be Solved by the Invention

In the prior art, it is necessary to generate the multiplication triple in advance, which may increase the communication traffic.

An object of the present invention is to provide a secret tampering detection technique that can detect tampering in secure computation while maintaining confidentiality with little communication traffic.

Means to Solve the Problems

In order to solve the above problem, a secret tampering detection system of the present invention is a secret tampering detection system, in which σ represents an arbitrary integer of 1 or more, N and D represent predetermined natural numbers, i represents each integer of 0 or more and less than σ, and j represents each integer of 0 or more and less than D, the secret tampering detection system including at least three secret tampering detection apparatuses, the secret tampering detection system inputting a share [{right arrow over ( )}x] that becomes a vector {right arrow over ( )}x with N elements when reconstructed and a share [{right arrow over ( )}y] that becomes a vector {right arrow over ( )}y with N elements when reconstructed, and outputting a share [{right arrow over ( )}z] that becomes a vector {right arrow over ( )}z when reconstructed, the vector {right arrow over ( )}z being a result of multiplying the vector {right arrow over ( )}x and the vector {right arrow over ( )}y for each of the elements. 
Each of the secret tampering detection apparatuses includes a random number generation part that generates, for each integer i, σ shares [{right arrow over ( )}r_(i)] each of which becomes a random number vector {right arrow over ( )}r_(i) with N+D elements when reconstructed and σ shares [{right arrow over ( )}s_(i)] each of which becomes a random number vector {right arrow over ( )}s_(i) with N+D elements when reconstructed, a random number multiplication part that multiplies, for each integer i, the share [{right arrow over ( )}r_(i)] and the share [{right arrow over ( )}s_(i)] by secure computation to generate σ shares [{right arrow over ( )}t_(i)] each of which becomes a vector {right arrow over ( )}t_(i) when reconstructed, the vector {right arrow over ( )}t_(i) being a result of multiplying the vector {right arrow over ( )}r_(i) and the vector {right arrow over ( )}s_(i) for each of the elements, a secret multiplication part that multiplies the share [{right arrow over ( )}x] and the share [{right arrow over ( )}y] by secure computation to generate the share [{right arrow over ( )}z], a random number verification part that randomly selects, for each integer i, D different integers p_(i,j), each p_(i,j) being 0 or more and less than D+N, and discloses a p_(i,j)-th element of each of the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)], to confirm whether a set of the disclosed values corresponding respectively to the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] has integrity as multiplication, a random number substitution part that generates, for each integer i, shares [{right arrow over ( )}r′_(i)], [{right arrow over ( )}s′_(i)], [{right arrow over ( )}t′_(i)] obtained by performing random substitution on elements of each of the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] except for the p_(i,j)-th element, a subtraction value disclosure part that computes and discloses [{right arrow over ( )}x−{right arrow over ( )}r′_(i)], [{right arrow over ( )}y−{right arrow over ( )}s′_(i)] for each integer i, a verification value computing part that computes, for each integer i, [{right arrow over ( )}c_(i)]:=[{right arrow over ( )}z]−({right arrow over ( )}x−{right arrow over ( )}r′_(i))[{right arrow over ( )}y]−({right arrow over ( )}y−{right arrow over ( )}s′_(i))[{right arrow over ( )}r′_(i)]−[{right arrow over ( )}t′_(i)] to generate a share [{right arrow over ( )}c_(i)] that becomes a vector {right arrow over ( )}c_(i) of a verification value c_(i) when reconstructed, and a verification value confirmation part that confirms, for each integer i, that the verification values c_(i) are all zero by using the share [{right arrow over ( )}c_(i)].

Effect of the Invention

According to the present invention, it is possible to detect tampering in secure computation while maintaining confidentiality with little communication traffic.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating a functional configuration of a secret tampering detection system;

FIG. 2 is a diagram illustrating a functional configuration of a secret tampering detection apparatus; and

FIG. 3 is a diagram illustrating a processing flow of a secret tampering detection method.

DETAILED DESCRIPTION OF THE EMBODIMENT

Hereinafter, an embodiment of the present invention will be described in detail. Note that constituent parts having the same function in the drawings are denoted by the same numeral, and the repeated description thereof will be omitted.

A right arrow “{right arrow over ( )}” as a superscript which is used in the present specification represents a vector. Although “{right arrow over ( )}” should originally be put immediately above a following character, by limitation of the text notation, “{right arrow over ( )}” will be put immediately before the character. In each formula, the symbol is put in its original position, namely, directly above the character. For example, a text with “{right arrow over ( )}x” means the same as the following expression in the formula. {right arrow over (x)}

[x] represents that a certain value x has been subjected to secret sharing. [X] represents the set of data obtained by subjecting all elements of a certain set X to the secret sharing. Hereinafter, a value subjected to the secret sharing is also referred to as a “share.” {right arrow over ( )}x{right arrow over ( )}y represents a vector as a result of multiplying a vector {right arrow over ( )}x and a vector {right arrow over ( )}y for each element. F represents an arbitrary field.

An embodiment of the present invention is a secret tampering detection system and method which perform multiplication with tampering detection, obtained by improving the secret tampering detection technique described in Non-patent literature 1. The secret tampering detection system and method of the embodiment execute a multiplication protocol with tampering detection shown in the following formula.

Scheme 1: Multiplication with tampering detection

Input: [{right arrow over ( )}x], [{right arrow over ( )}y]∈[F]^(N)

Output: [{right arrow over ( )}x{right arrow over ( )}y]∈[F]^(N), but no output when tampering is detected

Parameters: σ≥1, D∈ℕ

1: Generating random number vector [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)]∈[F]^(N+D).

2: Calculating [{right arrow over ( )}t_(i)]:=[{right arrow over ( )}r_(i){right arrow over ( )}s_(i)] for each 0≤i<σ.

3: Calculating [{right arrow over ( )}z]:=[{right arrow over ( )}x{right arrow over ( )}y] and confirming that communication related to the computing has been terminated.

4: Randomly selecting positions p_(i,0), . . . , p_(i,D-1) for each 0≤i<σ.

Disclosing a p_(i,j)-th element corresponding to each 0≤j<D out of each of vectors [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] and confirming that its value has integrity as multiplication.

When the values lack integrity as multiplication, tampering is detected and the processing terminates.

Substituting the remaining, undisclosed elements by random substitution π_(i) to obtain vectors [{right arrow over ( )}r′_(i)], [{right arrow over ( )}s′_(i)], [{right arrow over ( )}t′_(i)]∈[F]^(N).

5: Disclosing [{right arrow over ( )}x−{right arrow over ( )}r′_(i)], [{right arrow over ( )}y−{right arrow over ( )}s′_(i)].

6: Calculating [{right arrow over ( )}c_(i)]:=[{right arrow over ( )}z]−({right arrow over ( )}x−{right arrow over ( )}r′_(i))[{right arrow over ( )}y]−({right arrow over ( )}y−{right arrow over ( )}s′_(i))[{right arrow over ( )}r′_(i)]−[{right arrow over ( )}t′_(i)].

7: Confirming that all elements of [{right arrow over ( )}c_(i)] are zero for each 0≤i<σ.

When an element which is not zero is present, tampering is detected and the processing terminates.

In the above multiplication protocol with tampering detection, the following three secure computation protocols are used. The first is a multiplication protocol without tampering detection to be executed in steps 2 and 3. The existing multiplication protocol without tampering detection is described in Reference Literature 1 and the like, for example. The second is a random number generation protocol with tampering detection to be executed in step 1. The existing random number generation protocol with tampering detection is described in Reference Literature 2 and the like, for example. The third is a disclosure protocol with tampering detection to be executed in steps 4 and 5. The existing disclosure protocol with tampering detection is described in Reference Literature 3 and the like, for example.

-   Reference Literature 1: D. Ikarashi, R. Kikuchi, K. Hamada, and K. Chida, “Actively private and correct MPC scheme in t<n/2 from passively secure schemes with small overhead”, IACR Cryptology ePrint Archive, 2014:304, 2014
-   Reference Literature 2: R. Cramer, I. Damgård, and Y. Ishai, “Share conversion, pseudorandom secret-sharing and applications to secure computation”, TCC, Vol. 3378 of Lecture Notes in Computer Science, pp. 342-362. Springer, 2005.
-   Reference Literature 3: Japanese Patent Application Laid Open No. 2016-146530

A configuration example of a secret tampering detection system of the embodiment will be described with reference to FIG. 1. The secret tampering detection system includes K (≥3) secret tampering detection apparatuses 1 ₁, . . . , 1 _(K). In the present embodiment, each of the secret tampering detection apparatuses 1 ₁, . . . , 1 _(K) is connected to a communication network 2. The communication network 2 is a circuit-switching or packet-switching communication network configured so that each of the connected apparatuses can communicate with each other, and for example, the Internet, a local area network (LAN), a wide area network (WAN), or the like can be used. Note that each apparatus is not necessarily required to be able to communicate online via the communication network 2. For example, information to be input into each of the secret tampering detection apparatuses 1 ₁, . . . , 1 _(K) may be stored into a portable recording medium such as a magnetic tape or a USB memory, and may be input into each of the secret tampering detection apparatuses 1 ₁, . . . , 1 _(K) offline from the portable recording medium.

A configuration example of a secret tampering detection apparatus 1 _(k) (k=1, . . . , K) included in the secret tampering detection system will be described with reference to FIG. 2. For example, as shown in FIG. 2, the secret tampering detection apparatus 1 _(k) includes an input part 10, a random number generation part 11, a random number multiplication part 12, a secret multiplication part 13, a random number verification part 14, a random number substitution part 15, a subtraction value disclosure part 16, a verification value computing part 17, a verification value confirmation part 18, and an output part 19. The secret tampering detection apparatus 1 _(k) (1≤k≤K) performs processing of each step described below in cooperation with another secret tampering detection apparatus 1 _(k′) (k′=1, . . . , K, but k≠k′) to realize a secret tampering detection method according to the embodiment.

The secret tampering detection apparatus 1 _(k) is, for example, a special apparatus configured by reading a special program into a known or dedicated computer having a central processing unit (CPU), a main storage (random access memory: RAM), and the like. The secret tampering detection apparatus 1 _(k) executes each processing under the control of the central processing unit, for example. Data input into the secret tampering detection apparatus 1 _(k) and data obtained in each processing are stored into, for example, the main storage, and the data stored into the main storage is read out to the central processing unit as required and used for another processing. At least a portion of each processing part of the secret tampering detection apparatus 1 _(k) may be formed by hardware such as an integrated circuit.

A processing procedure of the secret tampering detection method, which is executed by the secret tampering detection system of the embodiment, will be described with reference to FIG. 3.

In step S1, shares [{right arrow over ( )}x], [{right arrow over ( )}y]∈[F]^(N) to be multiplied are input into the input part 10 of each secret tampering detection apparatus 1 _(k). [{right arrow over ( )}x] is a share which becomes a vector {right arrow over ( )}x with N elements when reconstructed. [{right arrow over ( )}y] is a share which becomes a vector {right arrow over ( )}y with N elements when reconstructed. The input part 10 inputs the shares [{right arrow over ( )}x], [{right arrow over ( )}y] into the secret multiplication part 13.

In step S2, for each integer i satisfying 0≤i<σ, the random number generation part 11 of each secret tampering detection apparatus 1 _(k) generates σ shares [{right arrow over ( )}r_(i)] each of which becomes a random number vector {right arrow over ( )}r_(i) with N+D elements when reconstructed and σ shares [{right arrow over ( )}s_(i)] each of which becomes a random number vector {right arrow over ( )}s_(i) with N+D elements when reconstructed, by using the random number generation protocol with tampering detection. Here, σ is a previously set integer of 1 or more. As σ is greater, the tampering success probability decreases, but the computing amount increases. Therefore, the value of σ may be appropriately set in view of desired safety and convenience. For example, the protocol described in above Reference Literature 2 can be applied to the random number generation protocol with tampering detection. The random number generation part 11 inputs the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)] into the random number multiplication part 12.

In step S3, the random number multiplication part 12 of each secret tampering detection apparatus 1 _(k) receives the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)] from the random number generation part 11, and for each integer i satisfying 0≤i<σ, the random number multiplication part 12 multiplies the share [{right arrow over ( )}r_(i)] and the share [{right arrow over ( )}s_(i)] by the multiplication protocol without tampering detection to generate σ shares [{right arrow over ( )}t_(i)]:=[{right arrow over ( )}r_(i){right arrow over ( )}s_(i)] each of which becomes a vector {right arrow over ( )}t_(i) when reconstructed, the vector {right arrow over ( )}t_(i) being a result of multiplying the vector {right arrow over ( )}r_(i) and the vector {right arrow over ( )}s_(i) for each element. For example, the protocol described in above Reference Literature 1 can be applied to the multiplication protocol without tampering detection. The random number multiplication part 12 inputs the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] as a set into the random number verification part 14.

In step S4, the secret multiplication part 13 of each secret tampering detection apparatus 1 _(k) receives the shares [{right arrow over ( )}x], [{right arrow over ( )}y] from the input part 10, multiplies the share [{right arrow over ( )}x] and the share [{right arrow over ( )}y] by using the multiplication protocol without tampering detection, and computes the share [{right arrow over ( )}z]:=[{right arrow over ( )}x{right arrow over ( )}y] which becomes a vector {right arrow over ( )}z when reconstructed, the vector {right arrow over ( )}z being a result of multiplying the vector {right arrow over ( )}x and the vector {right arrow over ( )}y for each element. The secret multiplication part 13 inputs the shares [{right arrow over ( )}x], [{right arrow over ( )}y] into the subtraction value disclosure part 16 and inputs the shares [{right arrow over ( )}y], [{right arrow over ( )}z] into the verification value computing part 17.

In step S5, the random number verification part 14 of each secret tampering detection apparatus 1 _(k) receives the set of the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] from the random number multiplication part 12 and randomly selects D different integers p_(i,0), . . . , p_(i,D-1), each being 0 or more and less than D+N, for each integer i satisfying 0≤i<σ. Here, D is a predetermined natural number. Subsequently, the random number verification part 14 discloses a p_(i,j)-th element corresponding to each integer j that satisfies 0≤j<D out of each of the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] by using the disclosure protocol with tampering detection, to confirm whether a set of the disclosed values corresponding respectively to the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] has integrity as multiplication. For example, the protocol described in above Reference Literature 3 can be applied to the disclosure protocol with tampering detection. When there is a set of values without integrity as multiplication, the output part 19 outputs information indicating that tampering has been detected, and terminates the processing. When all the sets of values have integrity as multiplication, the random number verification part 14 inputs the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] and the integer p_(i,j) into the random number substitution part 15.

In step S6, the random number substitution part 15 receives the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] and an integer p_(i,j) from the random number verification part 14, and for each integer i satisfying 0≤i<σ, the random number substitution part 15 substitutes undisclosed elements (i.e., elements except for the p_(i,j)-th element) of each of the shares [{right arrow over ( )}r_(i)], [{right arrow over ( )}s_(i)], [{right arrow over ( )}t_(i)] by previously set random substitution π_(i) to generate shares [{right arrow over ( )}r′_(i)], [{right arrow over ( )}s′_(i)], [{right arrow over ( )}t′_(i)]∈[F]^(N). The random number substitution part 15 inputs the shares [{right arrow over ( )}r′_(i)], [{right arrow over ( )}s′_(i)] into the subtraction value disclosure part 16 and inputs the shares [{right arrow over ( )}r′_(i)], [{right arrow over ( )}t′_(i)] into the verification value computing part 17.

In step S7, the subtraction value disclosure part 16 of each secret tampering detection apparatus 1 _(k) receives the shares [{right arrow over ( )}x], [{right arrow over ( )}y] from the secret multiplication part 13 and the shares [{right arrow over ( )}r′_(i)], [{right arrow over ( )}s′_(i)] from the random number substitution part 15, and for each integer i satisfying 0≤i<σ, the subtraction value disclosure part 16 computes and discloses [{right arrow over ( )}x−{right arrow over ( )}r′_(i)], [{right arrow over ( )}y−{right arrow over ( )}s′_(i)] by using the disclosure protocol with tampering detection. The subtraction value disclosure part 16 inputs the disclosed vectors ({right arrow over ( )}x−{right arrow over ( )}r′_(i)), ({right arrow over ( )}y−{right arrow over ( )}s′_(i)) into the verification value computing part 17.

In step S8, the verification value computing part 17 of each secret tampering detection apparatus 1 _(k) receives the shares [{right arrow over ( )}y], [{right arrow over ( )}z] from the secret multiplication part 13, the shares [{right arrow over ( )}r′_(i)], [{right arrow over ( )}t′_(i)] from the random number substitution part 15, and the vectors ({right arrow over ( )}x−{right arrow over ( )}r′_(i)), ({right arrow over ( )}y−{right arrow over ( )}s′_(i)) from the subtraction value disclosure part 16, and for each integer i satisfying 0≤i<σ, the verification value computing part 17 computes Formula (1) to generate a share [{right arrow over ( )}c_(i)] which becomes a vector {right arrow over ( )}c_(i) of a verification value c_(i) when reconstructed. The verification value computing part 17 inputs the shares [{right arrow over ( )}z], [{right arrow over ( )}c_(i)] into the verification value confirmation part 18.

$\begin{matrix} {[\overset{\rightarrow}{c}_{i}] := [\overset{\rightarrow}{z}] - (\overset{\rightarrow}{x} - \overset{\rightarrow}{r}_{i}^{\prime})[\overset{\rightarrow}{y}] - (\overset{\rightarrow}{y} - \overset{\rightarrow}{s}_{i}^{\prime})[\overset{\rightarrow}{r}_{i}^{\prime}] - [\overset{\rightarrow}{t}_{i}^{\prime}]} & (1) \end{matrix}$

In step S9, the verification value confirmation part 18 of each secret tampering detection apparatus 1 _(k) receives the shares [{right arrow over ( )}z], [{right arrow over ( )}c_(i)] from the verification value computing part 17, and for each integer i satisfying 0≤i<σ, the verification value confirmation part 18 discloses the vector {right arrow over ( )}c_(i) of the verification value c_(i) from the share [{right arrow over ( )}c_(i)] by using the disclosure protocol with tampering detection. The verification value confirmation part 18 then confirms that all elements of the disclosed vector {right arrow over ( )}c_(i) are zero. When an element which is not zero is included in the disclosed vector {right arrow over ( )}c_(i), the output part 19 outputs information indicating that tampering has been detected, and terminates the processing. When all the elements of the disclosed vector {right arrow over ( )}c_(i) are zero, the verification value confirmation part 18 inputs the received vector [{right arrow over ( )}z] into the output part 19.

In step S10, the output part 19 of the secret tampering detection apparatus 1 _(k) outputs the vector [{right arrow over ( )}z] received from the verification value confirmation part 18.
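Scheme 1 (steps S1 to S10 above) simulated in a single process, as an added example that is not part of the original specification. It assumes additive sharing among three parties over a prime field; `mult` and `reveal` are hypothetical stand-ins for the multiplication protocol without tampering detection and the disclosure protocol, and `err_z`, `err_t` model an attacker's additive error on the multiplication results.

```python
"""Single-process simulation of Scheme 1 (multiplication with tampering detection)."""
import secrets

P = 2**61 - 1                      # prime modulus for the field F (assumed choice)
K = 3                              # number of parties (the page requires K >= 3)
rng = secrets.SystemRandom()

class Tampered(Exception):
    """Raised when a check fails; the message names the failing step."""

def share(vec):
    """Additively share a vector: K share-vectors that sum to vec mod P."""
    parts = [[rng.randrange(P) for _ in vec] for _ in range(K - 1)]
    last = [(v - sum(col)) % P for v, col in zip(vec, zip(*parts))]
    return parts + [last]

def reveal(sh):
    """Stand-in for the disclosure protocol: reconstruct the shared vector."""
    return [sum(col) % P for col in zip(*sh)]

def sub(a, b):
    """[a] - [b], computed locally by every party."""
    return [[(u - v) % P for u, v in zip(ra, rb)] for ra, rb in zip(a, b)]

def scale(pub, a):
    """pub * [a] for a public vector pub, computed locally by every party."""
    return [[(c * u) % P for c, u in zip(pub, row)] for row in a]

def pick(sh, idx):
    """Select (and reorder) the positions idx of a shared vector."""
    return [[row[p] for p in idx] for row in sh]

def mult(a, b, err=None):
    """Stand-in for the multiplication protocol WITHOUT tampering detection.
    An attacker can shift the result by an additive error vector err."""
    prod = [u * v % P for u, v in zip(reveal(a), reveal(b))]
    if err:
        prod = [(p + e) % P for p, e in zip(prod, err)]
    return share(prod)

def multiply_with_detection(x, y, sigma=2, D=2, err_z=None, err_t=None):
    """Scheme 1. x, y are shared vectors of N elements; returns [z] or raises."""
    N = len(x[0])
    triples = []
    for _ in range(sigma):                                   # steps 1-2
        r = share([rng.randrange(P) for _ in range(N + D)])
        s = share([rng.randrange(P) for _ in range(N + D)])
        triples.append((r, s, mult(r, s, err_t)))
    z = mult(x, y, err_z)                                    # step 3
    for r, s, t in triples:
        opened = rng.sample(range(N + D), D)                 # step 4: p_(i,j)
        rv, sv, tv = (reveal(pick(v, opened)) for v in (r, s, t))
        if any(c != a * b % P for a, b, c in zip(rv, sv, tv)):
            raise Tampered("step 4")
        rest = [p for p in range(N + D) if p not in opened]
        rng.shuffle(rest)                                    # substitution pi_i
        r2, s2, t2 = (pick(v, rest) for v in (r, s, t))
        dx = reveal(sub(x, r2))                              # step 5: x - r'_i
        dy = reveal(sub(y, s2))                              #         y - s'_i
        c = sub(sub(sub(z, scale(dx, y)), scale(dy, r2)), t2)  # step 6
        if any(reveal(c)):                                   # step 7
            raise Tampered("step 7")
    return z

def outcome(x, y, **attack):
    """Run the scheme on plain vectors; return the product or the failing step."""
    try:
        return reveal(multiply_with_detection(share(x), share(y), **attack))
    except Tampered as exc:
        return str(exc)

if __name__ == "__main__":
    x, y = [3, 5, 7, 11], [2, 4, 6, 8]                       # constructed inputs
    print(outcome(x, y))                                     # honest run
    print(outcome(x, y, err_z=[0, 1, 0, 0]))                 # tampered [z]
    print(outcome(x, y, err_t=[1] * 6))                      # tampered [t_i]
```

With honest triples the disclosed vector in step 7 equals the error added to [z], so any tampering of the main multiplication is caught; an error in [z] escapes only if a matching error in [t_i] lands on an unopened position that the substitution maps onto the same slot, for every i.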

Generally, in the multiplication protocol without tampering detection, an attacker would be able to perform tampering. However, in the secret tampering detection system of the embodiment, after the multiplication is performed in step S4, the random number vector is verified in step S5 to prevent the tampering. In order to succeed in tampering, the attacker must also tamper in step S3 so that the share [{right arrow over ( )}t_(i)] to be used for the verification remains consistent. However, as the number of times of tampering is increased, the probability of detecting tampering increases due to the disclosure in step S5. Conversely, as the number of times of tampering is decreased, the probability of illegal passage of the verification is decreased. By performing σ times of verification with such properties, the tampering success probability can be O(N^(−σ)).

The above embodiment can be made more efficient as follows. In the above embodiment, the confirmation of whether all the verification values c_(i) are zero in step S9 has been performed by disclosing the verification values c_(i) from the share [{right arrow over ( )}c_(i)] and confirming each of those. Here, by computing a checksum formed by a product sum of each element of the share [{right arrow over ( )}c_(i)] of the vector {right arrow over ( )}c_(i) of the verification value c_(i) with a random number and confirming that the checksum is zero, it is possible to confirm the verification values with communication traffic that does not depend on the size of N. As such a checksum, for example, a checksum described in Reference Literature 4 below can be used.

-   Reference Literature 4: International Publication No. WO 2014/112550

The checksum described in Reference Literature 4 is computed as follows. In the following description, q is an integer of 2 or more, ρ is the smallest integer greater than or equal to (N+D)/q, and R is a ring. The verification value confirmation part 18 divides the share [{right arrow over ( )}c_(i)], which becomes the vector {right arrow over ( )}c_(i) of the verification value c_(i) when reconstructed, from the head into groups of q elements each to generate ρ value vectors A_(0), . . . , A_(ρ−1). When the number of elements of the last value vector A_(ρ−1) is not q at the time of division, the elements are padded with any value (e.g., 0) so that the number of elements is q. The verification value confirmation part 18 selects a random number r∈R^(q) and computes a checksum c by Formula (2).

$\begin{matrix} {c:={\sum\limits_{0 \leq i < \rho}{A_{i}r^{i + 1}}}} & (2) \end{matrix}$

At this time, the multiplication of the vectors is performed using a function f defined by Formulas (3) and (4).

$\begin{matrix} {{{f\left( {\overset{\rightarrow}{x},\overset{\rightarrow}{y}} \right)}:={f_{0}\left( {\overset{\rightarrow}{x},\overset{\rightarrow}{y}} \right)}},\ldots\mspace{14mu},{f_{q - 1}\left( {\overset{\rightarrow}{x},\overset{\rightarrow}{y}} \right)}} & (3) \\ {{f_{i}\left( {\overset{\rightarrow}{x},\overset{\rightarrow}{y}} \right)}:={\sum\limits_{j,{k < q}}{\alpha_{i,j,k}x_{j}y_{k}}}} & (4) \end{matrix}$

Here, α_(i,j,k) (i=0, . . . , q−1; j=0, . . . , q−1; k=0, . . . , q−1) is a parameter for uniform association of the elements of two rings R^(q) with the elements of one ring R^(q). There can be a plurality of types of parameters α_(i,j,k), but in consideration of simplifying the computation, it is desirable to select, as the parameter α_(i,j,k), the q³ values that include the largest number of 0's. For example, when R is a field and the parameter α_(i,j,k) is determined so that R^(q) is an extension field of the field R, it is possible to efficiently detect tampering.
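The checksum of Formulas (2) to (4) worked through on plain values, as an added example that is not taken from the specification or from Reference Literature 4. It assumes R = GF(2), q = 4 and the parameter α_(i,j,k) derived from the irreducible polynomial x^4 + x + 1, so that R^(q) is the extension field GF(16); all function names are hypothetical, and a real deployment would compute the same sum on shares.

```python
"""Checksum of Formula (2) with the vector product f of Formulas (3)-(4)."""
from itertools import product

Q = 4                      # q: elements per block (assumed value)
REDUCE = [1, 1, 0, 0]      # x^4 = 1 + x in GF(2)[x]/(x^4 + x + 1) (assumed)

def monomial(e):
    """Coefficient vector of x^e reduced modulo x^4 + x + 1."""
    v = [1] + [0] * (Q - 1)
    for _ in range(e):
        carry, v = v[-1], [0] + v[:-1]          # multiply by x
        if carry:
            v = [a ^ b for a, b in zip(v, REDUCE)]
    return v

# ALPHA[i][j][k]: coefficient of x^i in x^j * x^k, the parameter of Formula (4)
ALPHA = [[[monomial(j + k)[i] for k in range(Q)] for j in range(Q)]
         for i in range(Q)]

def f(x, y):
    """Formulas (3)-(4): product of two elements of R^q, here GF(16)."""
    return [sum(ALPHA[i][j][k] * x[j] * y[k]
                for j in range(Q) for k in range(Q)) % 2
            for i in range(Q)]

def checksum(c, r):
    """Formula (2): sum over the blocks A_i of f(A_i, r^(i+1))."""
    c = list(c) + [0] * (-len(c) % Q)           # pad the last block with zeros
    acc, power = [0] * Q, list(r)               # power holds r^(i+1)
    for start in range(0, len(c), Q):
        term = f(c[start:start + Q], power)
        acc = [a ^ b for a, b in zip(acc, term)]
        power = f(power, r)
    return acc

def false_accepts(c):
    """Number of r in R^q for which the vector c yields a zero checksum."""
    zero = [0] * Q
    return sum(checksum(c, list(r)) == zero
               for r in product((0, 1), repeat=Q))

if __name__ == "__main__":
    print(false_accepts([0] * 10))                   # all-zero vector: every r
    print(false_accepts([0, 0, 1, 0, 0]))            # one non-zero block
    print(false_accepts([1, 0, 0, 0, 1, 0, 0, 0]))   # two non-zero blocks
```

Because R^(q) is a field here, a non-zero verification vector gives a zero checksum only for the few r that are roots of a polynomial of degree ρ, which is why r has to be chosen at random.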

A result of comparing the communication traffic between the embodiment and the prior art is shown. For example, when the comparison is made between a case where a field F in the embodiment is a finite field GF(2) with the order of 2 and the technique described in Non-patent literature 1, with the same tampering success probability O(N⁻²), the communication traffic of each party is about 10N bits in Non-patent literature 1, whereas the communication traffic is only about 7N bits in the embodiment.

The points of the present invention are as follows. At first, in Non-patent literature 1 that is the prior art, the tampering detection is performed on the multiplication triple. On the other hand, in the present invention, from the beginning, the tampering detection using the multiplication triple is performed on the multiplication to be computed. Further, in Non-patent literature 1, the processing is performed with an integer multiple of the number of multiplications to be computed taken as a unit. On the other hand, in the present invention, the processing can be performed in parallel in the unit that is the same as the number of multiplications to be computed. Therefore, the multiplication with tampering detection can be performed more efficiently than in the prior art.

Although the embodiment of the present invention has been described above, a specific configuration is not limited to these embodiments, and even if there is an appropriate design change or the like without departing from the scope of the invention, it is needless to say that such a change or the like is included in the present invention. Various sorts of processing described in the embodiment are not only executed chronologically in the order described but may be executed in parallel or individually as required or in accordance with the processing capacity of the apparatus that executes the processing.

<Program and Recording Medium>

In a case where various processing functions in each apparatus described in the above embodiment are realized by a computer, a program describes the processing contents of the functions to be provided in each apparatus. Then, by the computer executing the program, various processing functions in each apparatus described above are realized on the computer.

The program describing the processing contents can be recorded in a computer-readable recording medium. The computer-readable recording medium may, for example, be a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, or the like.

The program is distributed by, for example, the sale, transfer, lending, or the like of a portable recording medium such as a DVD or a CD-ROM in which the program is recorded. Further, the program may be previously stored into a storage device of a server computer, and the program may be transferred from the server computer to another computer via the network to distribute the program.

The computer to execute such a program first stores a program, such as a program recorded in a portable recording medium or a program transferred from the server computer, temporarily into its own storage. Then, at the time of executing the processing, the computer reads the program stored in its own storage and executes the processing in accordance with the read program. As another form of executing the program, the computer may read the program directly from the portable recording medium and execute the processing in accordance with the program, or further, each time the program is transferred from the server computer to the computer, the computer may successively execute the processing in accordance with the received program. The program may not be transferred from the server computer to the computer, but the processing described above may be executed by a so-called ASP (application service provider) service that realizes the processing functions only by instructing the execution and obtaining the result. Note that the program in the present form includes one equivalent to a program, the one being information to be used for processing by an electronic computer (data that is not a direct command to the computer but has the property of defining the processing of the computer).

Further, in the present form, the present apparatus has been configured by executing predetermined programs on the computer, but at least some of the processing contents of these may be realized in hardware. 

What is claimed is:
 1. A secret tampering detection system, in which σ represents an arbitrary integer of 1 or more, N and D represent predetermined natural numbers, i represents each integer of 0 or more and less than σ, and j represents each integer of 0 or more and less than D, the secret tampering detection system including at least three secret tampering detection apparatuses, the secret tampering detection system inputting a share $[\vec{x}]$ that becomes a vector $\vec{x}$ with N elements when reconstructed and a share $[\vec{y}]$ that becomes a vector $\vec{y}$ with N elements when reconstructed, and outputting a share $[\vec{z}]$ that becomes a vector $\vec{z}$ when reconstructed, the vector $\vec{z}$ being a result of multiplying each element of the vector $\vec{x}$ and each element of the vector $\vec{y}$ respectively, wherein each of the secret tampering detection apparatuses includes processing circuitry configured to: generate, for each integer i, σ shares $[\vec{r}_i]$ each of which becomes a random number vector $\vec{r}_i$ with N+D elements when reconstructed and σ shares $[\vec{s}_i]$ each of which becomes a random number vector $\vec{s}_i$ with N+D elements when reconstructed; multiply, for each integer i, the share $[\vec{r}_i]$ and the share $[\vec{s}_i]$ by secure computation to generate σ shares $[\vec{t}_i]$ each of which becomes a vector $\vec{t}_i$ when reconstructed, the vector $\vec{t}_i$ being a result of multiplying each element of the vector $\vec{r}_i$ and each element of the vector $\vec{s}_i$ respectively; multiply the share $[\vec{x}]$ and the share $[\vec{y}]$ by secure computation to generate the share $[\vec{z}]$; randomly select, for each integer i, D different integers $p_{i,j}$, each of the integers $p_{i,j}$ being 0 or more and less than D+N, and disclose a $p_{i,j}$-th element of each of the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$, to confirm whether a set of the disclosed values corresponding respectively to the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$ has integrity as multiplication; generate, for each integer i, shares $[\vec{r}'_i]$, $[\vec{s}'_i]$, $[\vec{t}'_i]$ obtained by performing random substitution on predetermined elements of each of the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$, where the predetermined elements are all elements except for the $p_{i,j}$-th element; compute and disclose $[\vec{x}-\vec{r}'_i]$, $[\vec{y}-\vec{s}'_i]$ for each integer i; compute, for each integer i, $[\vec{c}_i] := [\vec{z}] - (\vec{x}-\vec{r}'_i)[\vec{y}] - (\vec{y}-\vec{s}'_i)[\vec{r}'_i] - [\vec{t}'_i]$ to generate a share $[\vec{c}_i]$ that becomes a vector $\vec{c}_i$ of a verification value $c_i$ when reconstructed; and confirm, for each integer i, that the verification values $c_i$ are all zero by using the share $[\vec{c}_i]$.
 2. The secret tampering detection system according to claim 1, wherein the processing circuitry generates the share $[\vec{r}_i]$ and the share $[\vec{s}_i]$ by using a random number generation protocol which can detect tampering during processing, the processing circuitry multiplies the share $[\vec{r}_i]$ and the share $[\vec{s}_i]$ by using a multiplication protocol which does not detect tampering during processing, the processing circuitry multiplies the share $[\vec{x}]$ and the share $[\vec{y}]$ by using the multiplication protocol which does not detect tampering during processing, the processing circuitry discloses the $p_{i,j}$-th element of each of the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$ by using a disclosure protocol which can detect tampering during processing, and the processing circuitry discloses the $[\vec{x}-\vec{r}'_i]$, $[\vec{y}-\vec{s}'_i]$ by using the disclosure protocol which can detect tampering during processing.
 3. The secret tampering detection system according to claim 1, wherein the processing circuitry computes a checksum formed by a product sum of each element of the share $[\vec{c}_i]$ and a power of a random number r, and confirms that all the verification values $c_i$ are zero based on whether the checksum c is zero.
 4. A secret tampering detection apparatus, in which σ represents an arbitrary integer of 1 or more, N and D represent predetermined natural numbers, i represents each integer of 0 or more and less than σ, and j represents each integer of 0 or more and less than D, the secret tampering detection apparatus inputting a share $[\vec{x}]$ that becomes a vector $\vec{x}$ with N elements when reconstructed and a share $[\vec{y}]$ that becomes a vector $\vec{y}$ with N elements when reconstructed, and outputting a share $[\vec{z}]$ that becomes a vector $\vec{z}$ when reconstructed, the vector $\vec{z}$ being a result of multiplying each element of the vector $\vec{x}$ and each element of the vector $\vec{y}$ respectively, the secret tampering detection apparatus comprising processing circuitry configured to: generate, for each integer i, σ shares $[\vec{r}_i]$ each of which becomes a random number vector $\vec{r}_i$ with N+D elements when reconstructed and σ shares $[\vec{s}_i]$ each of which becomes a random number vector $\vec{s}_i$ with N+D elements when reconstructed; multiply, for each integer i, the share $[\vec{r}_i]$ and the share $[\vec{s}_i]$ by secure computation to generate σ shares $[\vec{t}_i]$ each of which becomes a vector $\vec{t}_i$ when reconstructed, the vector $\vec{t}_i$ being a result of multiplying each element of the vector $\vec{r}_i$ and each element of the vector $\vec{s}_i$ respectively; multiply the share $[\vec{x}]$ and the share $[\vec{y}]$ by secure computation to generate the share $[\vec{z}]$; randomly select, for each integer i, D different integers $p_{i,j}$, each of the integers $p_{i,j}$ being 0 or more and less than D+N, and disclose a $p_{i,j}$-th element of each of the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$, to confirm whether a set of the disclosed values corresponding respectively to the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$ has integrity as multiplication; generate, for each integer i, shares $[\vec{r}'_i]$, $[\vec{s}'_i]$, $[\vec{t}'_i]$ obtained by performing random substitution on predetermined elements of each of the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$, where the predetermined elements are all elements except for the $p_{i,j}$-th element; compute and disclose $[\vec{x}-\vec{r}'_i]$, $[\vec{y}-\vec{s}'_i]$ for each integer i; compute, for each integer i, $[\vec{c}_i] := [\vec{z}] - (\vec{x}-\vec{r}'_i)[\vec{y}] - (\vec{y}-\vec{s}'_i)[\vec{r}'_i] - [\vec{t}'_i]$ to generate a share $[\vec{c}_i]$ that becomes a vector $\vec{c}_i$ of a verification value $c_i$ when reconstructed; and confirm, for each integer i, that the verification values $c_i$ are all zero by using the share $[\vec{c}_i]$.
 5. A secret tampering detection method, in which σ represents an arbitrary integer of 1 or more, N and D represent predetermined natural numbers, i represents each integer of 0 or more and less than σ, and j represents each integer of 0 or more and less than D, the secret tampering detection method being executed by a secret tampering detection system that includes at least three secret tampering detection apparatuses, the secret tampering detection method inputting a share $[\vec{x}]$ that becomes a vector $\vec{x}$ with N elements when reconstructed and a share $[\vec{y}]$ that becomes a vector $\vec{y}$ with N elements when reconstructed, and outputting a share $[\vec{z}]$ that becomes a vector $\vec{z}$ when reconstructed, the vector $\vec{z}$ being a result of multiplying each element of the vector $\vec{x}$ and each element of the vector $\vec{y}$ respectively, the secret tampering detection method comprising: generating, for each integer i, σ shares $[\vec{r}_i]$ each of which becomes a random number vector $\vec{r}_i$ with N+D elements when reconstructed and σ shares $[\vec{s}_i]$ each of which becomes a random number vector $\vec{s}_i$ with N+D elements when reconstructed by processing circuitry of each of the secret tampering detection apparatuses; multiplying, for each integer i, the share $[\vec{r}_i]$ and the share $[\vec{s}_i]$ by secure computation to generate σ shares $[\vec{t}_i]$ each of which becomes a vector $\vec{t}_i$ when reconstructed, the vector $\vec{t}_i$ being a result of multiplying each element of the vector $\vec{r}_i$ and each element of the vector $\vec{s}_i$ respectively for each of the elements by the processing circuitry of each of the secret tampering detection apparatuses; multiplying the share $[\vec{x}]$ and the share $[\vec{y}]$ by secure computation to generate the share $[\vec{z}]$ by the processing circuitry of each of the secret tampering detection apparatuses; randomly selecting, for each integer i, D different integers $p_{i,j}$, each of the integers $p_{i,j}$ being 0 or more and less than D+N, and disclosing a $p_{i,j}$-th element of each of the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$, to confirm whether a set of the disclosed values corresponding respectively to the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$ has integrity as multiplication by the processing circuitry of each of the secret tampering detection apparatuses; generating, for each integer i, shares $[\vec{r}'_i]$, $[\vec{s}'_i]$, $[\vec{t}'_i]$ obtained by performing random substitution on predetermined elements of each of the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$, where the predetermined elements are all elements except for the $p_{i,j}$-th element by the processing circuitry of each of the secret tampering detection apparatuses; computing and disclosing $[\vec{x}-\vec{r}'_i]$, $[\vec{y}-\vec{s}'_i]$ for each integer i by the processing circuitry of each of the secret tampering detection apparatuses; computing, for each integer i, $[\vec{c}_i] := [\vec{z}] - (\vec{x}-\vec{r}'_i)[\vec{y}] - (\vec{y}-\vec{s}'_i)[\vec{r}'_i] - [\vec{t}'_i]$ to generate a share $[\vec{c}_i]$ that becomes a vector $\vec{c}_i$ of a verification value $c_i$ when reconstructed by the processing circuitry of each of the secret tampering detection apparatuses; and confirming, for each integer i, that the verification values $c_i$ are all zero by using the share $[\vec{c}_i]$ by the processing circuitry of each of the secret tampering detection apparatuses.
 6. A non-transitory computer readable medium including computer executable instructions that make a secret tampering detection apparatus, in which σ represents an arbitrary integer of 1 or more, N and D represent predetermined natural numbers, i represents each integer of 0 or more and less than σ, and j represents each integer of 0 or more and less than D, the secret tampering detection apparatus inputting a share $[\vec{x}]$ that becomes a vector $\vec{x}$ with N elements when reconstructed and a share $[\vec{y}]$ that becomes a vector $\vec{y}$ with N elements when reconstructed, and outputting a share $[\vec{z}]$ that becomes a vector $\vec{z}$ when reconstructed, the vector $\vec{z}$ being a result of multiplying each element of the vector $\vec{x}$ and each element of the vector $\vec{y}$ respectively, the secret tampering detection apparatus performs a method comprising: generating, for each integer i, σ shares $[\vec{r}_i]$ each of which becomes a random number vector $\vec{r}_i$ with N+D elements when reconstructed and σ shares $[\vec{s}_i]$ each of which becomes a random number vector $\vec{s}_i$ with N+D elements when reconstructed; multiplying, for each integer i, the share $[\vec{r}_i]$ and the share $[\vec{s}_i]$ by secure computation to generate σ shares $[\vec{t}_i]$ each of which becomes a vector $\vec{t}_i$ when reconstructed, the vector $\vec{t}_i$ being a result of multiplying each element of the vector $\vec{r}_i$ and each element of the vector $\vec{s}_i$ respectively; multiplying the share $[\vec{x}]$ and the share $[\vec{y}]$ by secure computation to generate the share $[\vec{z}]$; randomly selecting, for each integer i, D different integers $p_{i,j}$, each of the integers $p_{i,j}$ being 0 or more and less than D+N, and disclosing a $p_{i,j}$-th element of each of the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$, to confirm whether a set of the disclosed values corresponding respectively to the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$ has integrity as multiplication; generating, for each integer i, shares $[\vec{r}'_i]$, $[\vec{s}'_i]$, $[\vec{t}'_i]$ obtained by performing random substitution on predetermined elements of each of the shares $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$, where the predetermined elements are all elements except for the $p_{i,j}$-th element; computing and disclosing $[\vec{x}-\vec{r}'_i]$, $[\vec{y}-\vec{s}'_i]$ for each integer i; computing, for each integer i, $[\vec{c}_i] := [\vec{z}] - (\vec{x}-\vec{r}'_i)[\vec{y}] - (\vec{y}-\vec{s}'_i)[\vec{r}'_i] - [\vec{t}'_i]$ to generate a share $[\vec{c}_i]$ that becomes a vector $\vec{c}_i$ of a verification value $c_i$ when reconstructed; and confirming, for each integer i, that the verification values $c_i$ are all zero by using the share $[\vec{c}_i]$.
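The procedure recited in claims 1 and 3 can be followed end to end in a small simulation, given here as an added example that is not code from the patent or its applicant. It assumes three-party additive sharing over the prime field 2^61−1, models the multiplication protocol without tamper detection as a function in which an adversary may add an error vector, and runs the jointly generated randomness (positions, permutation, checksum value) in one process; all function and parameter names are hypothetical.

```python
import secrets

P = 2**61 - 1   # prime field modulus (assumption: the claims fix no field)
PARTIES = 3     # the claims require at least three apparatuses

def share(vec):
    """Additive sharing of each element (assumed scheme, chosen for brevity)."""
    sh = [[secrets.randbelow(P) for _ in vec] for _ in range(PARTIES - 1)]
    sh.append([(v - sum(col)) % P for v, col in zip(vec, zip(*sh))])
    return sh

def reveal(sh):
    return [sum(col) % P for col in zip(*sh)]

def sub(a, b):  # share-wise subtraction, local to each party
    return [[(u - v) % P for u, v in zip(ra, rb)] for ra, rb in zip(a, b)]

def pick(sh, idx):  # select/permute positions idx in every party's share
    return [[row[i] for i in idx] for row in sh]

def mult(a, b, err=None):
    """Stand-in for a multiplication protocol WITHOUT tamper detection:
    the adversary may add err to the product before it is re-shared."""
    prod = [u * v % P for u, v in zip(reveal(a), reveal(b))]
    return share([(p + e) % P for p, e in zip(prod, err)] if err else prod)

def verified_multiply(x, y, D=4, sigma=2, z_err=None, t_err=None):
    """Return (shares of z, ok); ok is False if any check detects tampering."""
    N = len(x[0])
    z = mult(x, y, z_err)
    for _ in range(sigma):
        r = share([secrets.randbelow(P) for _ in range(N + D)])
        s = share([secrets.randbelow(P) for _ in range(N + D)])
        t = mult(r, s, t_err)
        order = list(range(N + D))
        secrets.SystemRandom().shuffle(order)
        opened, rest = order[:D], order[D:]  # D opened positions; rest is permuted
        ro, so, to = (reveal(pick(v, opened)) for v in (r, s, t))
        if any(a * b % P != c for a, b, c in zip(ro, so, to)):
            return z, False                  # an opened triple is not a product
        r2, s2, t2 = (pick(v, rest) for v in (r, s, t))  # r', s', t'
        xr, ys = reveal(sub(x, r2)), reveal(sub(y, s2))  # disclosed x-r', y-s'
        rho = 1 + secrets.randbelow(P - 1)   # checksum randomness (claim 3's r)
        chk = 0
        for zk, yk, rk, tk in zip(z, y, r2, t2):  # each party's local share of c_i
            for j in range(N):
                cj = zk[j] - xr[j] * yk[j] - ys[j] * rk[j] - tk[j]
                chk += cj * pow(rho, j + 1, P)
        if chk % P:                          # the opened checksum must be zero
            return z, False
    return z, True
```

Because only the D opened elements, the masked differences and one checksum are disclosed, the inputs stay hidden, while an error in either the product or the random triple leaves a nonzero verification value.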